CVE-2026-50591
Description
Stored XSS in Znuny LTS and Znuny via user preferences allows execution of injected JavaScript when preferences are displayed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A Stored Cross-Site Scripting (XSS) vulnerability exists in Znuny LTS versions before 6.5.21 and Znuny versions before 7.3.3. The issue stems from insufficient output encoding when handling user preferences stored in the database, allowing previously injected JavaScript to execute when these preferences are displayed [1].
Exploitation
An attacker can exploit this vulnerability by injecting malicious JavaScript into user preferences. When another user views the affected preference, the script executes within the security context of that user's own session. No specific user interaction beyond viewing preferences is required for exploitation [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim user's session. This can lead to session hijacking, data theft, or further malicious actions performed on behalf of the victim user, depending on the privileges of the compromised session [1].
Mitigation
This vulnerability is fixed in Znuny LTS version 6.5.21 and Znuny version 7.3.3. Users are advised to update to these versions or later to address the vulnerability [1].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.